Tuesday, September 29, 2009

P4P Quality measure with CPT is not in our future

History

“The system is broken” is a phrase we hear more and more often, whether from a politician eager to build support for healthcare reform, from a patient frustrated by the sheer volume of bills arriving from 10 different entities for a single appendix removal, or from physicians who are penalized by payers under their P4P programs for using too many CPT codes or procedures to treat a complex condition.

So this raises the question: are P4P quality measures based on CPT the right approach? We are seeing that many of these programs have not achieved broad adoption among physicians. Take the PQRI initiative: statistics have shown an average return of $700.00 per physician, which is low compared with the costs the practice has to incur. Is it worth looking at P4P programs and worrying about implementing them? Is the technology available to measure the outcomes of patient treatment over time?

Is it possible that physicians will be paid based on treatment outcome?

Well, if you review the ARRA and what 2015 will bring, you will find a clear indication that the Meaningful Use goals are to include “clinical outcome measures, efficiency measures and safety measures”, and you will realize that there is a tremendous emphasis on outcome measures. This might not mean that care providers would be required to follow the recommendations, but it does mean that if CMS makes outcome measures the basis for reimbursing patient treatment, then, as we know, payers will usually just follow.

What are the current facts?

The good news is that this possible change would not affect the way physicians provide care. Many care providers already see and treat the patient based on a mental assessment and grading of whether the patient is improving. But it does get sticky when a group needs to report on it on paper. Take for example a patient being treated for a broken wrist. We can measure the outcome of the treatment based on the level of pain, we can track the range of movement of the wrist after the cast comes off, and we can measure improvement by the amount of time it took to have the cast removed. While in many cases the person’s body will dictate some of those results, we can still benchmark the treatment outcome.

However, when you consider patients with a chronic disease such as end-stage kidney disease, the complexity increases tremendously. During a recent presentation, CTG showed a very interesting approach to this challenge. They created a Master Patient Complexity index that they can use to measure the patient’s condition through well-defined scientific measures such as age, hemoglobin, creatinine, BUN, BMI, calcium, potassium and so forth, plotted as radar spokes as shown here (values are based on fictitious data and do not represent actual patient information).

Result and the impact of this direction

This can potentially result in a paradigm shift. Physicians may not be paid on how many procedures they perform, but on the improvement of their patients over time, using a proven Master Patient Complexity index. The model currently recommended by CTG looks very promising and may well be a starting point. Similar models have been implemented by other groups such as Mayo Clinic. This would also mean that EMR/PMS products would need a different approach to how payers are billed, and would need to properly display the patient’s progress or treatment outcome over time. It is just another fun day for BI (Business Intelligence) and health analytics.

Conclusion:

While physicians continue to focus on providing care to their patients, one must remember that doctors do have to be compensated appropriately. Using CPT as a way to measure care quality is definitely not an acceptable method of measuring improvement in quality of care, so considering other approaches is a must, and looking to technology as a tool to facilitate this makes more sense than ever. It also means that physicians must become more involved in product and measure development. This will ensure that future EMR products answer the providers’ needs, offer improved measures to assist patients with complex conditions, and create an efficient reimbursement system.

Monday, September 28, 2009

ARRA or stimulus Health IT calculator

The American Recovery and Reinvestment Act of 2009 (ARRA) has far-reaching effects in healthcare. Stakeholders affected range from patients and private physicians to large hospital networks. The Act includes a planned expenditure of $34 billion for HIT, with $32 billion going to hospitals and physicians, as an incentive to adopt certified, interoperable Electronic Health Records (EHRs).

I have been getting a lot of requests to help calculate the potential incentives available for a practice. Many administrators and executives are asking: will this pay for us to go paperless, or pay for a full EMR implementation? Well, as easy as it may seem, you have to analyze your own numbers. As a lawyer told a colleague today about first-time home buyers, "You will get up to 8,000 dollars". The keyword there is "UP TO". So, for many practices, whether each provider will get the maximum allowed amount will depend on a lot of things. For much of the work I have been doing, I have developed a small cheat sheet, or calculator, that can help shed some light on what dollars you may be getting under the Medicaid or Medicare provisions. If you are interested, feel free to email me the answers to the following questions and I will send you the results with some projections.

Email me or post a comment to this blog and I will respond.

A place to start:

For Medicare

____: Year when meaningful use was achieved
____: Number of MDs in your practice
____: Total allowable for Medicare patients for 2008

For Medicaid

____: Year when meaningful use was achieved
____: Number of MDs in your practice
____: % of patients with Medicaid
____: Avg. technology costs
____: Number of midwives, PAs or NPs
____: Yearly maintenance and technology costs after implementation

Friday, September 11, 2009

Is your patients' health information protected enough to save you from the FTC or the new HIPAA rules under ARRA?

With the new burden of fines and higher penalties under HIPAA as modified by the ARRA, and the new FTC “Red Flag” regulations, healthcare organizations must now re-evaluate their current security protocols and infrastructure to keep the HIPAA auditors at bay.

With today’s fast-moving technology, it is very hard for anyone to ensure that the next web site they visit will not install a harmful Trojan that can log every keystroke, or simply steal files from their computer that could contain private health information.

Every day Americans fall victim to identity theft because of information stolen from computers in healthcare environments, including having their health records or insurance information used to obtain health services and procedures. We are accustomed to hearing that most data breaches occur at large-scale operations, such as the Heartland breach, in which hackers had potential access to the personal data of 600 million or more cardholders, or, a few years before that, the TJX chain, which had the data of more than 45 million customers compromised. But all of these are extremely hard to accomplish and require sophisticated, highly advanced hackers. But what if you were told that your doctor’s office could be the next target, right now, right out of its parking lot? Or what if a simple URL could land one of your nurses on the wrong web site, which would automatically install a Trojan that in turn gains access to health data?

There are several threats you should be aware of as a consumer or a healthcare administrator. Again, the intent of this article is not to force you to completely get rid of your computers and wireless networks, but to provide you with information that can help you understand your environment and the areas that may need to be reviewed.

Internal Threats:
The internal threats to your patient data can be found in many areas. Just to give you an example, last week I visited with a few technicians at a medium-sized healthcare office, and as we were going through DR (Disaster Recovery) planning, I asked about the offsite backup. To my surprise I received the following statement: “We are covered on that, I take the tapes home with me.” I did not put too much thought into it as I asked the next question, assuming that the answer would be yes: “Well, I am sure the backups are password protected and you are encrypting them, right?” Wrong. I received the following reply: “Why? They are already on a tape; you think a thief will know how to restore from a tape?” Puzzled and disappointed, I began to explain that it would be wiser to find a more secure method to store the sensitive patient information, and how this could really jeopardize the practice and potentially open the door to lawsuits. After I went back to the office, I did a simple Google search for “How to restore from a tape” and found the following: Results 1 - 10 of about 3,720,000 for How to restore from a tape. (0.16 seconds). It was clear to me that there was a disconnect between IT and the privacy and security requirements. It is critical that sensitive data be secured, and it should not be transported offsite on laptops, tapes or hard drives without appropriate encryption and protection.

Another internal threat would be the viruses or Trojans that find their way into computers that are either unprotected or simply have expired antivirus. Many of these infections originate from web sites that users reached by mistyping a URL or simply clicking on the wrong link in a personal email. This has been a commonly used method for hackers to gain access to private information on computers through Trojans, key loggers and other remote-control methods.

In a world with all too many horror stories of scammers, we begin to hear about cases of patients using fictitious identities or posing as someone else, and using their insurance cards to obtain cosmetic or medical procedures, where the victim becomes responsible for picking up the tab. We are in an environment where a patient rushing their child in to be seen for an illness says “their spouse has the insurance card”, the front desk feels obligated to let them be seen, and the practice later comes to the realization that it has to write off the costs of the procedures and treatment after discovering that the insurance was terminated or was not even for the right person. An insurance card does not present the practice with a picture ID, and although a valid license can be required of the patient, many practices do not require that verification, which increases the risk of false identity. This becomes a bigger issue under much of the currently proposed health reform, where the practice will not be able to bill the victim of identity theft for the balance, nor their insurance.

External:
For the most part, all health organizations already have some sort of firewall established. This is the device that protects them from outside intruders. But without the right hardware, you are left with a firewall whose default password a hacker can easily discover, and through which they can remotely gain access to your network, or even

With that being said, I have found numerous times that health organizations use a common tool, such as Microsoft Remote Desktop (RDP), to log on remotely to their servers without a VPN (Virtual Private Network). That means the server is exposed to the internet through a specific port that hackers can attempt to use to gain access. In some cases brute force is used (where a dictionary of passwords is used to try many combinations for the administrative user); in others, it is just a matter of a previous employee who still has an active account being able to gain access, take the data and sell it for profit.
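The brute-force pattern described above leaves a trail in the server's own security log that a practice can watch for. The following is an added example, not code from the original post: it counts Windows failed-logon events (event ID 4625) per source address inside a sliding time window and flags sources that cross a threshold. The log lines and their simplified "timestamp event account source" layout are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not a real export: each line is
# "<ISO timestamp> <Windows event id> <account> <source IP>", where event 4625
# is the Windows "failed logon" event and 4624 a successful logon.
SAMPLE_LOG = """\
2009-09-11T02:14:01 4625 administrator 203.0.113.7
2009-09-11T02:14:03 4625 administrator 203.0.113.7
2009-09-11T02:14:04 4625 admin 203.0.113.7
2009-09-11T02:14:06 4625 administrator 203.0.113.7
2009-09-11T02:14:08 4625 root 203.0.113.7
2009-09-11T02:14:09 4625 administrator 203.0.113.7
2009-09-11T08:30:12 4625 jsmith 192.0.2.15
2009-09-11T08:31:40 4624 jsmith 192.0.2.15
2009-09-11T09:02:55 4625 administrator 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failures, first_ts, last_ts, accounts)} for every source
    that produced at least `threshold` failed logons inside any `window`."""
    recent = defaultdict(deque)    # source IP -> timestamps of failures still in window
    accounts = defaultdict(set)    # source IP -> account names tried
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that do not fit the assumed layout
        ts = datetime.fromisoformat(m.group(1))
        event, user, src = m.group(2), m.group(3), m.group(4)
        if event != "4625":
            continue                # only failed logons count toward the threshold
        q = recent[src]
        q.append(ts)
        accounts[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the sliding window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (len(q), q[0].isoformat(), ts.isoformat(), sorted(accounts[src]))
    return alerts

if __name__ == "__main__":
    for ip, (n, first, last, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logons between {first} and {last}, accounts tried: {users}")
```

A single user mistyping a password, like jsmith above, never reaches the threshold, while a source cycling through administrative account names does.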

While the above two require fairly advanced knowledge of hacking, there are always a few simple ones that can truly be a very easy way to tap into your system or infrastructure. Wireless!!! In many cases, if you approach a hospital, the wireless infrastructure is so advanced and robust that it can actually detect any attempt to connect to the network by a device that is not on the safe list of allowed devices; it can even detect if someone plugs in a new wireless access point within the hospital’s wireless range. But the challenge here, again, is that we are discussing the vulnerability of some of our small to mid-sized practices, the ones that simply cannot justify the cost of $800 or more for a single access point. These are the cases where a simple low-cost, plug-and-play access point gives you a “secured” wireless network that can easily be cracked. WEP (one of the encryption methods commonly used by small practices) has a poor architecture, and this has long been known in the hacker community; you can find posts that show you “How To Crack 128-bit Wireless Networks In 60 Seconds”.

The consequences:
In previous years, the above threats would most likely have been considered urgent but not important. Let’s face it, there was no real threat out there to begin with. As a matter of fact, even the office that was meant to enforce the HIPAA rules had not levied a single penalty against any HIPAA-covered entity in the nearly five years since it began implementation. What has changed that would force everyone to really take a good look at their current security and privacy readiness? Well, as part of the new ARRA, a few modifications to the law have been made (Sections 13409-13411):

• Congress gave state attorneys general authorization to enforce HIPAA through civil enforcement actions.
• It makes business associates directly responsible for complying with key HIPAA privacy and security provisions. This means that the cleaning crew, the third-party IT support provider, the software vendor, the accountant and anyone else who comes in contact with your infrastructure or medical and insurance information shares the responsibility and is potentially liable.
• Fines have dramatically increased under the ARRA. You may be required to pay up to 50,000 dollars per violation, and up to 1.5 million dollars per calendar year.
• HHS is required to impose civil monetary penalties where it finds that a HIPAA violation was willful.
• The criminal provisions were expressly made applicable to individuals.
• The HHS Secretary is now required to conduct periodic audits for compliance with the HIPAA Privacy and Security Rules.

Things to do to help you:

• Implement password expiration and complexity policies
• Implement strict internet use policies for employees
• Ensure that your IT team properly secures your patient data repository services
• Run security auditing tools periodically
• Ensure that you are using antivirus on every piece of equipment connected to your network, including cell phones.
• Ensure that your backups are password protected, encrypted and properly stored
• Ensure that your business associate agreements reflect the new changes, explain to your vendors what they mean, and confirm that their liability insurance covers the extent of the fines and costs that can result from a data breach
• Ensure that your wireless network is using a stronger encryption method
• Require patients to present photo ID during registration and ensure you keep a B&W copy of it (color copies are illegal in NC).
• Use biometric check-in devices that confirm the identity of the patient if you are looking for a secure and fast way to identify and check in patients
• Use network appliances that add an additional layer of protection against spam and email viruses and block unwanted traffic from web sites.
• Train and educate staff on proper internet use

Conclusion

Whether you are still using paper charts or completely paperless, patient privacy and security must be a high priority on your list, whether the ARRA enforces the new rules or not. Your clients’ and your patients’ data protection must be addressed. It is like having health insurance: without it, you are taking major risks. There are several organizations that can provide you with assistance or HIPAA audits, some of which are freely available online. Your help desk and engineers need to understand the consequences as well as the importance of implementing the right technologies, ones that are proactive in detecting intrusions as well as protecting all assets in your infrastructure.
Reda Chouffani